From 6151b6210cf4639c97ef1af8f15374496a23fa31 Mon Sep 17 00:00:00 2001 From: samerton Date: Fri, 5 Aug 2022 17:56:35 +0100 Subject: [PATCH] Convert more StaffCP actions to POST requests - Email error delete/purge - Minecraft query error purge - Error log purge - User report close/re-open --- .../Default/core/emails_errors.tpl | 12 ++++-- .../Default/core/emails_errors_view.tpl | 5 ++- .../Default/core/errors_view.tpl | 8 +++- .../Default/core/users_reports_view.tpl | 14 ++++++- .../minecraft/minecraft_query_errors.tpl | 6 ++- modules/Core/pages/panel/emails_errors.php | 34 ++++++++++----- modules/Core/pages/panel/errors.php | 20 +++++++-- .../pages/panel/minecraft_query_errors.php | 13 +++++- modules/Core/pages/panel/users_reports.php | 42 +++++++++++++------ 9 files changed, 116 insertions(+), 38 deletions(-) diff --git a/custom/panel_templates/Default/core/emails_errors.tpl b/custom/panel_templates/Default/core/emails_errors.tpl index a8640f8c3a..5203dd1b48 100644 --- a/custom/panel_templates/Default/core/emails_errors.tpl +++ b/custom/panel_templates/Default/core/emails_errors.tpl @@ -114,7 +114,10 @@ @@ -135,7 +138,10 @@ @@ -152,7 +158,7 @@ } function showDeleteModal(id) { - $('#deleteLink').attr('href', '{$DELETE_LINK}'.replace('{literal}{x}{/literal}', id)); + $('#deleteAction').attr('action', '{$DELETE_LINK}'.replace('{literal}{x}{/literal}', id)); $('#deleteModal').modal().show(); } diff --git a/custom/panel_templates/Default/core/emails_errors_view.tpl b/custom/panel_templates/Default/core/emails_errors_view.tpl index 9f50149723..b148539de0 100644 --- a/custom/panel_templates/Default/core/emails_errors_view.tpl +++ b/custom/panel_templates/Default/core/emails_errors_view.tpl @@ -132,7 +132,10 @@ diff --git a/custom/panel_templates/Default/core/errors_view.tpl b/custom/panel_templates/Default/core/errors_view.tpl index 13575bc35e..409169a18e 100644 --- a/custom/panel_templates/Default/core/errors_view.tpl 
+++ b/custom/panel_templates/Default/core/errors_view.tpl @@ -43,6 +43,9 @@
+ + {include file='includes/alerts.tpl'} + {if isset($LOG)}
                                 {$LOG}
@@ -85,7 +88,10 @@
                     
                     
                 
             
diff --git a/custom/panel_templates/Default/core/users_reports_view.tpl b/custom/panel_templates/Default/core/users_reports_view.tpl
index 3be23bffdf..5b477e9796 100644
--- a/custom/panel_templates/Default/core/users_reports_view.tpl
+++ b/custom/panel_templates/Default/core/users_reports_view.tpl
@@ -109,9 +109,9 @@
                                     
                                     
{if isset($CLOSE_REPORT)} - {$CLOSE_REPORT} + {else} - {$REOPEN_REPORT} + {/if}
@@ -139,6 +139,16 @@ {include file='scripts.tpl'} + + \ No newline at end of file diff --git a/custom/panel_templates/Default/integrations/minecraft/minecraft_query_errors.tpl b/custom/panel_templates/Default/integrations/minecraft/minecraft_query_errors.tpl index 886287dc7d..99ad3bc2af 100644 --- a/custom/panel_templates/Default/integrations/minecraft/minecraft_query_errors.tpl +++ b/custom/panel_templates/Default/integrations/minecraft/minecraft_query_errors.tpl @@ -126,13 +126,15 @@ - diff --git a/modules/Core/pages/panel/emails_errors.php b/modules/Core/pages/panel/emails_errors.php index 8cf07c0e48..b5bcc42be3 100644 --- a/modules/Core/pages/panel/emails_errors.php +++ b/modules/Core/pages/panel/emails_errors.php 
@@ -21,21 +21,28 @@ require_once(ROOT_PATH . '/core/templates/backend_init.php'); if (isset($_GET['do'])) { - if ($_GET['do'] == 'purge') { - // Purge all errors + if (in_array($_GET['do'], ['delete', 'purge'])) { + if (Token::check()) { + if ($_GET['do'] == 'purge') { + // Purge all errors - DB::getInstance()->delete('email_errors', ['id', '<>', 0]); + DB::getInstance()->delete('email_errors', ['id', '<>', 0]); - Session::flash('emails_errors_success', $language->get('admin', 'email_errors_purged_successfully')); - Redirect::to(URL::build('/panel/core/emails/errors')); - } + Session::flash('emails_errors_success', $language->get('admin', 'email_errors_purged_successfully')); + Redirect::to(URL::build('/panel/core/emails/errors')); + } - if ($_GET['do'] == 'delete' && isset($_GET['id']) && is_numeric($_GET['id'])) { + if ($_GET['do'] == 'delete' && isset($_GET['id']) && is_numeric($_GET['id'])) { - DB::getInstance()->delete('email_errors', ['id', $_GET['id']]); + DB::getInstance()->delete('email_errors', ['id', $_GET['id']]); - Session::flash('emails_errors_success', $language->get('admin', 'error_deleted_successfully')); - Redirect::to(URL::build('/panel/core/emails/errors')); + Session::flash('emails_errors_success', $language->get('admin', 'error_deleted_successfully')); + Redirect::to(URL::build('/panel/core/emails/errors')); + } + } else { + Session::flash('emails_errors_error', $language->get('general', 'invalid_token')); + Redirect::to(URL::build('/panel/core/emails/errors')); + } } if ($_GET['do'] == 'view' && isset($_GET['id']) && is_numeric($_GET['id'])) { @@ -216,6 +223,10 @@ ]); } +if (Session::exists('emails_errors_error')) { + $errors = [Session::flash('emails_errors_error')]; +} + if (isset($errors) && count($errors)) { $smarty->assign([ 'ERRORS' => $errors, 
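Review bot: Nothing in this handler requires the request to be a POST. The delete/purge branch is still selected by `$_GET['do']` and is gated only by `Token::check()`, whose token source is not visible in this hunk. If that helper also accepts a token from the query string, a state-changing GET still works and the token can end up in URLs, referrers and access logs. I would make the method explicit, e.g. `if ($_SERVER['REQUEST_METHOD'] === 'POST' && Token::check()) {`. The purge branches in errors.php and minecraft_query_errors.php and the close/re-open branches in users_reports.php follow the same pattern.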
@@ -231,7 +242,8 @@ 'EMAILS_LINK' => URL::build('/panel/core/emails'), 'EMAIL_ERRORS' => $language->get('admin', 'email_errors'), 'PAGE' => PANEL_PAGE, - 'BACK' => $language->get('general', 'back') + 'BACK' => $language->get('general', 'back'), + 'TOKEN' => Token::get(), ]); $template->onPageLoad(); diff --git a/modules/Core/pages/panel/errors.php b/modules/Core/pages/panel/errors.php index 3bd68e4901..500edddff0 100644 --- a/modules/Core/pages/panel/errors.php +++ b/modules/Core/pages/panel/errors.php @@ -21,9 +21,13 @@ require_once(ROOT_PATH . '/core/templates/backend_init.php'); if (isset($_GET['log'], $_GET['do']) && $_GET['do'] == 'purge') { - file_put_contents(implode(DIRECTORY_SEPARATOR, [ROOT_PATH, 'cache', 'logs', $_GET['log'] . '-log.log']), ''); - Session::flash('error_log_success', $language->get('admin', 'log_purged_successfully')); - Redirect::to(URL::build('/panel/core/errors')); + if (Token::check()) { + file_put_contents(implode(DIRECTORY_SEPARATOR, [ROOT_PATH, 'cache', 'logs', $_GET['log'] . '-log.log']), ''); + Session::flash('error_log_success', $language->get('admin', 'log_purged_successfully')); + Redirect::to(URL::build('/panel/core/errors')); + } else { + Session::flash('error_log_error', $language->get('general', 'invalid_token')); + } } // Load modules + template @@ -69,6 +73,13 @@ $smarty->assign('NO_LOG_FOUND', $language->get('admin', 'log_file_not_found')); } + if (Session::exists('error_log_error')) { + $smarty->assign([ + 'ERRORS' => [Session::flash('error_log_error')], + 'ERRORS_TITLE' => $language->get('general', 'error') + ]); + } + $smarty->assign([ 'BACK_LINK' => URL::build('/panel/core/errors'), 'LOG_NAME' => $title, 
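Review bot: In the errors.php purge branch, `$_GET['log']` is still concatenated unvalidated into the path passed to `file_put_contents()`. The new token check limits who can trigger the truncation, but not which file gets truncated. A value containing directory separators or `..` would resolve outside `cache/logs`. Validate the name against the log types this page offers before building the path, e.g. `if (!in_array($_GET['log'], $known_logs, true)) { Redirect::to(URL::build('/panel/core/errors')); }`, where `$known_logs` is a placeholder for the project's own list, which is not visible here. Separately, the invalid-token branch flashes `error_log_error` without redirecting, unlike the other handlers in this commit.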
@@ -101,7 +112,8 @@ 'DEBUGGING_AND_MAINTENANCE' => $language->get('admin', 'debugging_and_maintenance'), 'PAGE' => PANEL_PAGE, 'ERROR_LOGS' => $language->get('admin', 'error_logs'), - 'BACK' => $language->get('general', 'back') + 'BACK' => $language->get('general', 'back'), + 'TOKEN' => Token::get(), ]); $template->onPageLoad(); diff --git a/modules/Core/pages/panel/minecraft_query_errors.php b/modules/Core/pages/panel/minecraft_query_errors.php index dc326deed9..5a67691198 100644 --- a/modules/Core/pages/panel/minecraft_query_errors.php +++ b/modules/Core/pages/panel/minecraft_query_errors.php @@ -23,8 +23,13 @@ if (!isset($_GET['id'])) { if (isset($_GET['action']) && $_GET['action'] == 'purge') { - DB::getInstance()->delete('query_errors', ['id', '<>', 0]); - Session::flash('panel_query_errors_success', $language->get('admin', 'query_errors_purged_successfully')); + if (Token::check()) { + DB::getInstance()->delete('query_errors', ['id', '<>', 0]); + Session::flash('panel_query_errors_success', $language->get('admin', 'query_errors_purged_successfully')); + } else { + Session::flash('panel_query_errors_error', $language->get('general', 'invalid_token')); + } + Redirect::to(URL::build('/panel/minecraft/query_errors')); } @@ -119,6 +124,10 @@ $success = Session::flash('panel_query_errors_success'); } +if (Session::exists('panel_query_errors_error')) { + $errors = [Session::flash('panel_query_errors_error')]; +} + if (isset($success)) { $smarty->assign([ 'SUCCESS' => $success, diff --git a/modules/Core/pages/panel/users_reports.php b/modules/Core/pages/panel/users_reports.php index 31d6e24a65..f52fe06513 100644 --- a/modules/Core/pages/panel/users_reports.php +++ b/modules/Core/pages/panel/users_reports.php 
@@ -306,9 +306,16 @@ // Close report if (is_numeric($_GET['id'])) { // Get report - $report = DB::getInstance()->get('reports', ['id', $_GET['id']])->results(); - if (count($report)) { - DB::getInstance()->update('reports', $report[0]->id, [ + $report = DB::getInstance()->get('reports', ['id', $_GET['id']]); + if ($report->count()) { + $report = $report->first(); + + if (!Token::check()) { + Session::flash('report_error', $language->get('general', 'invalid_token')); + die(); + } + + DB::getInstance()->update('reports', $report->id, [ 'status' => 1, 'date_updated' => date('Y-m-d H:i:s'), 'updated' => date('U'), @@ -316,16 +323,16 @@ ]); DB::getInstance()->insert('reports_comments', [ - 'report_id' => $report[0]->id, + 'report_id' => $report->id, 'commenter_id' => $user->data()->id, 'comment_date' => date('Y-m-d H:i:s'), 'date' => date('U'), - 'comment_content' => $language->get('moderator', 'x_closed_report', ['user' => Output::getClean($user->data()->username)]) + 'comment_content' => $language->get('moderator', 'x_closed_report', ['user' => $user->getDisplayname()]) ]); } Session::flash('report_success', $language->get('moderator', 'report_closed')); - Redirect::to(URL::build('/panel/users/reports/', 'id=' . urlencode($report[0]->id))); + Redirect::to(URL::build('/panel/users/reports/', 'id=' . urlencode($report->id))); } Redirect::to(URL::build('/panel/users/reports')); 
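Review bot: On a failed token check the close-report branch flashes `report_error` and then calls `die()`, so the moderator gets an empty response and only sees the message on a later page load. The other handlers in this commit redirect after flashing. Replacing `die();` with `Redirect::to(URL::build('/panel/users/reports/', 'id=' . urlencode($report->id)));` would match them, assuming `Redirect::to()` ends the request, as the back-to-back redirects further down suggest. The check also runs after the report lookup; moving it ahead of the query would reject forged requests before any database work. The re-open hunk at -335/+342 repeats the same pattern, and the enclosing branch starts outside the hunk.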
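Review bot: The close-report comment used to store `Output::getClean($user->data()->username)`, and the new line in the -316/+323 hunk stores `$user->getDisplayname()` exactly as returned. Whether that is safe depends on `getDisplayname()` already escaping its result, or on `reports_comments.comment_content` being escaped when rendered; neither is visible here. If neither holds, a display name containing markup would be rendered as HTML in the staff panel. I would either keep the wrapper, `['user' => Output::getClean($user->getDisplayname())]`, or add a one-line comment saying where the escaping happens. The re-open hunk at -345/+359 makes the same substitution, although its old line was already unescaped.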
@@ -335,9 +342,16 @@ // Reopen report if (is_numeric($_GET['id'])) { // Get report - $report = DB::getInstance()->get('reports', ['id', $_GET['id']])->results(); - if (count($report)) { - DB::getInstance()->update('reports', $report[0]->id, [ + $report = DB::getInstance()->get('reports', ['id', $_GET['id']]); + if ($report->count()) { + $report = $report->first(); + + if (!Token::check()) { + Session::flash('report_error', $language->get('general', 'invalid_token')); + die(); + } + + DB::getInstance()->update('reports', $report->id, [ 'status' => false, 'date_updated' => date('Y-m-d H:i:s'), 'updated' => date('U'), @@ -345,16 +359,16 @@ ]); DB::getInstance()->insert('reports_comments', [ - 'report_id' => $report[0]->id, + 'report_id' => $report->id, 'commenter_id' => $user->data()->id, 'comment_date' => date('Y-m-d H:i:s'), 'date' => date('U'), - 'comment_content' => $language->get('moderator', 'x_reopened_report', ['user' => $user->data()->username]) + 'comment_content' => $language->get('moderator', 'x_reopened_report', ['user' => $user->getDisplayname()]) ]); } Session::flash('report_success', $language->get('moderator', 'report_reopened')); - Redirect::to(URL::build('/panel/users/reports/', 'id=' . urlencode($report[0]->id))); + Redirect::to(URL::build('/panel/users/reports/', 'id=' . urlencode($report->id))); } Redirect::to(URL::build('/panel/users/reports')); @@ -371,6 +385,10 @@ $success = Session::flash('report_success'); } +if (Session::exists('report_error')) { + $errors = [Session::flash('report_error')]; +} + if (isset($success)) { $smarty->assign([ 'SUCCESS' => $success,